The present invention relates to the field of virtualization and more particularly to patch updating virtualized computing environments.
Virtualization as a technology aims to interject a layer between the hardware platform on the one hand and the operating system and executing applications on the other. In a server running in a non-virtualized environment, there is typically one operating system, which may in turn run multiple applications. In a virtual environment, a single server is logically partitioned into multiple environments, each of which may run multiple operating systems and multiple applications. Virtualization, therefore, allows users to consolidate multiple physical machines into one physical machine by having the one physical machine support multiple virtual environments. Virtualization has proven useful for those end users requiring separate computing environments for different types of applications while in fact only deploying a single hardware platform.
The hypervisor has become a ubiquitous virtualization layer for client and server systems designed to isolate a guest operating system by running the operating system in an isolated run-time environment on a single hardware platform. The virtualized environment provided by the hypervisor may ensure a degree of security by isolating the operating system from other guest operating systems sharing the same hardware platform.
In the virtualized environment, vulnerabilities can be identified in one or more of the computing environments consolidated in a virtualized environment. As vulnerabilities are identified, patches can be applied to rectify the identified vulnerabilities. To that end, patch management and the updating of VM images in a virtualized environment remains an area that can be especially important with respect to virtualization security. Referring to FIG. 1, a conventional virtualization data processing system can be configured to update VM images.
As shown in FIG. 1, a host computing platform 110 can support the operation of a hypervisor 120 managing multiple different VM images 160, 161, 162. Each of the VM images 160, 161, 162 can provide a computing environment for one or more corresponding applications 170 marked App. The hypervisor 120 can establish a configuration 150 for each different one of the VM images 160, 161, 162 specifying requisite access to computing resources 130 provided by the host computing platform 110, for instance processor, memory, file system and communications.
Notably, the VM images 160, 161, 162 are vulnerable to attacks 140, 141 until patch 195 from different patch sites 190 is applied. Thus, the skilled artisan will recognize that security controls for protecting the computing environments 160, 161, 162 etc. rely on the security provided by those computing environments. Therefore, when VM images 160, 161, 162 are individually instantiated without respective patch 195, those VM images 160, 161, 162 remain vulnerable to attacks 140, 141. This vulnerability persists until the patch 195 is individually applied over computer communications network 180.
Of importance, the ability to suspend a VM image in its current state permits a suspended instance of the VM image to be released from suspension and re-activated in a vulnerable state, that is, a state in which patches have not yet been applied to the VM image.